I would like to do some experimenting with javascript and encryption and I got curious as to how unpredictable the implementation of the random function is. Has anyone done any hard tests?
Clearly browsers have the ability to generate strong randomness (for ssl). The questions is do they give javascript access to the same strength.
Generally, the random function is not cryptographically strong, for that you need to make sure you are using a cryptographic pseudo-random-number generator.
Generic random functions generally don't use cryptographically strong generation methods because they take longer than simple ones, (eg. Yarrow is more complicated than Mersenne Twister) and require careful management of the entropy pool, which is not a guarantee that Mozilla, cstdlib, etc. want to make to you.
If you need access to cryptographically strong random number generators, I'd look into getting access to the underlying SSL implementation (which a given browser may or may not allow access to).
Each of the JavaScript engines I'm familiar with do not use cryptographically-strong RNGs.
If you need a good source of entropy in a browser (and preferably don't need it very often), I would recommend capturing mouse movement data and running it through a cryptographically-strong hashing algorithm. Existing programs such as the Entropy Gathering Daemon (used with gpg) can be used as a reference for how to implement such a system.
One interesting data point I found is mozilla has a javascript crypto object that isn't fully implemented yet.
Generally you can't rely on pseudo random number generation in javascript to be even remotely cryptographically secure. You might consider implementing your own PNRG using an entropy gathering system, or perhaps using an external source of random numbers such as hotbits.